At least one policy expert on Iran
November 5, 2025
•[ phishing, credential theft, espionage ]
The Hacker News, citing a Proofpoint investigation, describes a newly identified threat cluster dubbed UNK_SmudgedSerpent conducting credential phishing and remote access operations against more than twenty Iran focused subject matter experts at a U.S. based foreign policy think tank between June and August 2025, amid heightened IranIsrael tensions. Attackers impersonated prominent policy figures and used benign email conversations to lure victims to fake Microsoft Teams and OnlyOffice login pages hosted on health themed domains that captured account credentials. In some cases the operation progressed to deploying legitimate remote monitoring tools such as PDQ Connect and ISL Online for hands on keyboard access, supporting longer term espionage against the target institution and aligning with tactics used by established Iranian cyber intelligence groups.
At least one LastPass user
October 24, 2025
•[ phishing, credential theft, account takeover ]
Phishing emails impersonated password-vault Emergency Access notices using false death claims to coerce replies (e.g., STOP), pivoting victims to a look-alike portal tied to CryptoChameleon infrastructure; harvested credentials enabled vault takeover attempts and secondary account compromise. Campaign reflects profit-seeking credential theft across many individuals rather than a single named organization.
At least one undisclosed Ukraine war-relief organization
October 22, 2025
•[ phishing, credential theft, malware ]
Targeted credential-theft/implant delivery against humanitarian and logistics organizations aiding Ukraine using well-crafted lures, HTML smuggling, and compartmentalized infrastructure. Intent is intelligence collection; campaign report covers multiple organizations without a single verified primary effect to code as an event.
KakaoTalk account of a South Korea–based counselor
September 5, 2025
•[ spear-phishing, malware, credential theft ]
According to research by Genians reported by BleepingComputer, a North Korean activity cluster linked to APT37 and KONNI targets South Koreans via spear-phishing emails that spoof national agencies and deliver signed MSI installers. Once executed, the chain installs a remote access toolkit that steals Google and Naver account credentials, giving attackers full
Undisclosed Indian government or infrastructure organisation(s)
September 1, 2025
•[ espionage, malware, credential theft ]
Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsofts July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Government of Paraguay (employee workstation compromise)
June 7, 2025
•[ data leak, infostealer, credential theft ]
Infostealer malware installed on a Paraguayan government employees computer harvested credentials and tokens, enabling attackers to exfiltrate databases containing personal information on effectively the entire national population. Security researchers confirmed millions of identity recordsincluding names, national IDs, and contact detailswere leaked online in early June 2025. The Record verified the exposure and found no evidence of ransomware or system disruption.
Users of Indian banking mobile apps
February 11, 2025
•[ malware, phishing, data leak ]
Android malware campaign disguised as Indian bank apps, distributed via phishing links and fake APKs to install FinStealer; exfiltration of banking credentials and personal information confirmed by CYFIRMA and other researchers.
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Securitys Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.
At least one undisclosed government and/or tech company
November 4, 2024
•[ state-sponsored, malware, backdoor ]
Government cybersecurity reporting described PRC state-sponsored actors using BRICKSTORM malware to maintain long-term persistence in victim environments, primarily affecting government services/facilities and IT sector organizations. In a documented case, actors accessed a DMZ web server (with a web shell present), moved laterally using service account credentials, copied Active Directory databases, pivoted into VMware vCenter, accessed domain controllers and an ADFS server, and exported cryptographic keys. BRICKSTORM provided stealthy backdoor access for command-and-control and remote operations and was used for persistence from at least April 2024 through at least September 3, 2025. The specific victim organization name was not disclosed in the reporting.
